Mitchell Telatnik
Nov 2
HOW TO ASSESS ACTIVE DIRECTORY FOR VULNERABILITIES USING TENABLE NESSUS’ ACTIVE DIRECTORY STARTER SCAN TEMPLATE



The Nessus vulnerability scanner from Tenable is a widely known tool for
conducting vulnerability assessments of networks and devices, such as
workstations, network gear, and servers. While Tenable does have a separate
Active Directory security product called Tenable.ad, one capability of Nessus
(as well as their enterprise solution Tenable.io) that is very rarely talked
about is scanning the Active Directory configuration for vulnerabilities.


VULNERABILITY COVERAGE

Included in Nessus is a scan template called “Active Directory Starter Scan”.
Detailed documentation on this template is hard to find; according to a blog
post from Tenable, the scan runs the following ten checks against your Active
Directory configuration:

 1.  Kerberoasting: A Domain admin or Enterprise admin account is vulnerable to
     the Kerberoasting attack
 2.  Weak Kerberos encryption: The Kerberos encryption is too weak on one user
     account leading to potential credential theft
 3.  Kerberos pre-authentication validation: The Kerberos pre-authentication is
     disabled on one user account leading to potential credential theft
 4.  Non-expiring account password: A user account may never renew its password.
 5.  Unconstrained delegation: Unconstrained delegation is allowed on a computer
     account allowing potential credential theft
 6.  Null sessions: The Anonymous or Everyone group is part of the “Pre-Windows
     2000 Compatible Access” allowing null session attacks
 7.  Kerberos KRBTGT: The Kerberos master key is too old and could be used as a
     backdoor
 8.  Dangerous trust relationship: No security mechanism has been activated on a
     trust relationship allowing lateral movement across AD domains
 9.  Primary Group ID integrity: A potential backdoor using the Group ID has
     been found on a user account
 10. Blank passwords: A user account may use a blank password to authenticate on
     the domain
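The ten checks above can be reproduced directly against the directory, which is useful for confirming a Nessus finding or for checking a domain you are not allowed to scan. The PowerShell below is an added example written for this page; it is not code from the article or from Tenable. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and a 180-day KRBTGT rotation threshold (my choice; Tenable does not publish the one the template uses). Where Tenable's exact logic is undocumented (the trust and encryption checks in particular), the filters are my reading of the finding descriptions in the list.

```powershell
# Added example (not code from the article or from Tenable): the ten checks in the
# list above as ActiveDirectory-module queries. Assumes RSAT's ActiveDirectory
# module, a domain-joined session with directory read access, and an assumed
# 180-day KRBTGT rotation threshold.
Import-Module ActiveDirectory

# userAccountControl bits (MS-ADTS 2.2.16) and the LDAP bitwise matching rules
$UAC_PASSWD_NOTREQD         = 0x20      # blank password allowed
$UAC_SERVER_TRUST_ACCOUNT   = 0x2000    # domain controller
$UAC_DONT_EXPIRE_PASSWD     = 0x10000
$UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
$UAC_USE_DES_KEY_ONLY       = 0x200000
$UAC_DONT_REQUIRE_PREAUTH   = 0x400000  # AS-REP roastable
$BIT_AND = '1.2.840.113556.1.4.803'
$BIT_OR  = '1.2.840.113556.1.4.804'

function Find-ADStarterIssues {
    [CmdletBinding()]
    param([int]$KrbtgtMaxAgeDays = 180)

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding($Check, $Object, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
    }

    # 1. Kerberoasting: any domain user can request a service ticket for an SPN and
    #    crack it offline, so privileged accounts must not carry SPNs.
    $privDns = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
        try { (Get-ADGroupMember -Identity $g -Recursive).DistinguishedName } catch {}
    }
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        Where-Object { $privDns -contains $_.DistinguishedName } |
        ForEach-Object { Add-Finding 'Kerberoasting' $_.SamAccountName ($_.servicePrincipalName -join ';') }

    # 2. Weak Kerberos encryption: DES-only flag, or DES bits (0x1, 0x2) in
    #    msDS-SupportedEncryptionTypes. Change 3 to 7 to flag RC4 as well.
    $f = "(|(userAccountControl:${BIT_AND}:=${UAC_USE_DES_KEY_ONLY})(msDS-SupportedEncryptionTypes:${BIT_OR}:=3))"
    Get-ADUser -LDAPFilter $f -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object { Add-Finding 'Weak Kerberos encryption' $_.SamAccountName "msDS-SupportedEncryptionTypes=$($_.'msDS-SupportedEncryptionTypes')" }

    # 3, 4, 10. Single-bit userAccountControl checks on user objects.
    $uacChecks = @{
        'Kerberos pre-authentication disabled' = $UAC_DONT_REQUIRE_PREAUTH
        'Non-expiring password'                = $UAC_DONT_EXPIRE_PASSWD
        'Blank password permitted'             = $UAC_PASSWD_NOTREQD   # the flag permits, not proves, an empty password
    }
    foreach ($name in $uacChecks.Keys) {
        $bit = $uacChecks[$name]
        Get-ADUser -LDAPFilter "(userAccountControl:${BIT_AND}:=${bit})" |
            ForEach-Object { Add-Finding $name $_.SamAccountName ('userAccountControl bit 0x{0:X}' -f $bit) }
    }

    # 5. Unconstrained delegation on computers that are not domain controllers
    #    (DCs legitimately carry the flag).
    $f = "(&(userAccountControl:${BIT_AND}:=${UAC_TRUSTED_FOR_DELEGATION})(!(userAccountControl:${BIT_AND}:=${UAC_SERVER_TRUST_ACCOUNT})))"
    Get-ADComputer -LDAPFilter $f |
        ForEach-Object { Add-Finding 'Unconstrained delegation' $_.Name 'TRUSTED_FOR_DELEGATION set' }

    # 6. Null sessions: Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in
    #    Pre-Windows 2000 Compatible Access. Well-known SIDs appear as FSP members.
    $members = @((Get-ADGroup 'Pre-Windows 2000 Compatible Access' -Properties member).member)
    foreach ($sid in 'S-1-1-0', 'S-1-5-7') {
        if ($members -match "^CN=$sid,") { Add-Finding 'Null sessions' 'Pre-Windows 2000 Compatible Access' "contains $sid" }
    }

    # 7. KRBTGT age: the KDC honours the current and the previous KRBTGT key, so a
    #    stale key lets a golden ticket minted long ago keep working.
    $krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    if ($ageDays -gt $KrbtgtMaxAgeDays) { Add-Finding 'Kerberos KRBTGT' 'krbtgt' "password last set $ageDays days ago" }

    # 8. Trusts with neither SID filtering nor selective authentication (my reading
    #    of "no security mechanism activated").
    Get-ADTrust -Filter * | Where-Object {
        -not ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware -or $_.SelectiveAuthentication)
    } | ForEach-Object { Add-Finding 'Dangerous trust relationship' $_.Name "Direction=$($_.Direction)" }

    # 9. primaryGroupID other than Domain Users (513) or Domain Guests (514):
    #    membership via primary group is not listed in the group's member attribute.
    Get-ADUser -LDAPFilter '(&(!(primaryGroupID=513))(!(primaryGroupID=514)))' -Properties primaryGroupID |
        ForEach-Object { Add-Finding 'Primary Group ID integrity' $_.SamAccountName "primaryGroupID=$($_.primaryGroupID)" }

    return $findings
}

Find-ADStarterIssues | Sort-Object Check | Format-Table -AutoSize
```

The script reads only; nothing is modified. Expect the domain controllers themselves to be absent from check 5 (they are filtered out on purpose) and expect an error-free empty result for Enterprise Admins in a child domain, where that group does not exist.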


CREATING CREDENTIALS

Before setting up an Active Directory Starter Scan with Nessus, you’ll need to
provide Nessus with Domain Admin credentials through its ADSI credential type.
To do that, I recommend creating a dedicated service account for Nessus to use.
Bear in mind that this is a Domain Admin credential stored in the scanner: give
it a long random password, use it for nothing but this scan, and treat the
Nessus host as a Tier 0 asset.

 1. I created a new user in Active Directory called “NessusScan”



2. Add the user account to the “Domain Admins” group




CONFIGURE SCAN

 1. If using Nessus, create a new scan



2. Select “Active Directory Starter Scan”



3. Under “targets”, enter the IP address for the domain controller



4. Under credentials, select the category miscellaneous, and then ADSI



The four required fields are:

 * Domain Controller: The name of the domain controller for ActiveSync
 * Domain: The name of the NetBIOS domain for ActiveSync
 * Domain Admin: The domain administrator’s username
 * Domain Password: The domain administrator’s password

The field help text refers to ActiveSync because the ADSI credential type was
originally used to query Exchange ActiveSync device information; for this scan,
the values simply tell Nessus which domain controller and domain to bind to.

For my lab, this looks like the following:

 * LAB-DC
 * SECLAB
 * NessusScan
 * *Password*

5. Save the scan and click “launch”, or alternatively, use the schedule feature
during configuration




RESULTS

After exporting the results as an HTML report, we can see two assets come back
from the scan: the domain controller itself, listed by IP address, and the
Active Directory configuration, listed under the domain controller’s name (in my
case, LAB-DC).



Taking a look at the asset LAB-DC, we see various vulnerabilities that I
purposefully introduced to my Active Directory security lab environment. In this
case, our AD scan found 1 high-severity vulnerability and 3 medium-severity
vulnerabilities.




KERBEROASTING

The high-severity vulnerability we found was Kerberoasting: one or more
privileged accounts have a Service Principal Name (SPN) set. Any authenticated
domain user can request a service ticket for an SPN, and that ticket is encrypted
with a key derived from the account’s password, so it can be taken offline and
brute forced. A weak password on a Domain Admin account hands over the domain.



To see which accounts are affected, we can scroll down to the output section.




KERBEROS PRE-AUTHENTICATION VALIDATION

The first medium-severity vulnerability found was (missing) Kerberos
Pre-authentication Validation. Pre-authentication is (and should be) enabled by
default when creating new user accounts, but it can be turned off. Without it,
anyone can request an AS-REP for the account without proving knowledge of the
password, and the returned message can be cracked offline (AS-REP roasting).



To see which accounts are affected, we can scroll down to the output section.




NON-EXPIRING ACCOUNT PASSWORD

The second medium-severity vulnerability we found was Non-Expiring Account
Password: accounts whose passwords do not expire, and hence can remain unchanged
for prolonged periods.



To see which accounts are affected, we can scroll to the output section.




WEAK KERBEROS ENCRYPTION

The third and final medium-severity vulnerability we found was Weak Kerberos
Encryption. Kerberos can be configured to use various encryption types, and it is
still possible to configure an account to use DES, which is not secure. By
default, new accounts are not configured to use DES.



To see which accounts are affected, we can scroll to the output section.
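Once the output section names the affected accounts, the four finding types above can be fixed from the same PowerShell session. The script below is an added example, not code from the article; it assumes the RSAT ActiveDirectory module and rights to modify the accounts, and every change goes through ShouldProcess, so -WhatIf shows what would happen without touching anything. The account names in the usage line (svc-sql, svc-web) are made up for the example. For Kerberoasting it rotates the password rather than removing the SPN, because the service still needs its SPN; moving the service to a gMSA is the durable fix.

```powershell
# Added example (not from the article): remediate the four finding types above for
# the accounts Nessus listed. Assumes RSAT's ActiveDirectory module and rights to
# modify the accounts. Run with -WhatIf first; nothing changes without ShouldProcess.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 CSPRNG bytes, base64-encoded: 44 characters, generated fresh per call
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Repair-ADStarterFinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Kerberoasting', 'PreAuth', 'NonExpiring', 'WeakEncryption')]
        [string]$Finding,
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$SamAccountName
    )
    process {
        $u = Get-ADUser $SamAccountName -Properties servicePrincipalName, msDS-SupportedEncryptionTypes
        switch ($Finding) {
            'PreAuth' {
                # Re-enable pre-auth: the KDC then refuses an AS-REP to anyone
                # who cannot encrypt a timestamp with the account's key.
                if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'require Kerberos pre-authentication')) {
                    Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
                }
            }
            'NonExpiring' {
                # Clear the flag and reset the password together. Expiry is computed from
                # pwdLastSet, so a password older than the policy maximum would be expired
                # the moment the flag is cleared, breaking the service that uses it.
                if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'clear PasswordNeverExpires and reset password')) {
                    Set-ADAccountControl -Identity $u -PasswordNeverExpires $false
                    Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword)
                }
            }
            'WeakEncryption' {
                # Allow only AES. Kerberos keys are derived when the password is set, so
                # the reset guarantees AES keys exist even if the password predates AES.
                if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'restrict Kerberos to AES and reset password')) {
                    Set-ADAccountControl -Identity $u -UseDESKeyOnly $false
                    Set-ADUser -Identity $u -KerberosEncryptionType 'AES128,AES256'
                    Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword)
                }
            }
            'Kerberoasting' {
                # Keep the SPN (the service needs it) and make the key uncrackable with a
                # long random password; move the service to a gMSA when you can. If the
                # SPN is a leftover on a human admin account, remove it instead.
                $spns = $u.servicePrincipalName -join ';'
                if ($PSCmdlet.ShouldProcess($u.SamAccountName, "rotate password (SPNs: $spns)")) {
                    Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword)
                }
            }
        }
    }
}

# Usage (hypothetical account names): paste the names from the Nessus output section.
'svc-sql', 'svc-web' | Repair-ADStarterFinding -Finding Kerberoasting -WhatIf
```

Every branch that resets a password has to be coordinated with whoever runs the service, since the new password must be updated wherever the service stores it; that is the main reason the script defaults to a dry run.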




CONCLUSION

Nessus and other Tenable products such as Tenable.io are widely used by security
professionals to conduct vulnerability assessments. However, they have many
powerful capabilities, such as auditing Active Directory configurations, that
often go unused. Next time you need a quick understanding of the security issues
in an Active Directory configuration, reach for your Nessus scanner!



